Amazon ARNs - An explanation
With the complicated web of technologies that Amazon has released with AWS, it is no surprise that accurately identifying resources becomes a complicated mess. There is a need for a common language to identify everything from an EC2 instance to an S3 bucket or a Route 53 zone. Amazon has answered this with a string format called ARN - Amazon Resource Name.
Any ARN is simply a string that starts with "arn" and is broken up into a number of components, each itself a string, separated by colons. That's it. Everything in AWS, in any part of the world, can be identified by this simple string.
Components of an ARN
An ARN starts with "arn", followed by each of these sections in order:
The first section, the partition, identifies where in AWS your resource lives. Typically, it is just "aws" but you could use "aws-cn" if you are using AWS in China. Another option is "aws-us-gov" if you are using the government-specific cloud.
Amazon now has a general idea of where to look, but it still needs to know what you want. Do you want an S3 bucket, an EC2 instance, an IAM user? The service section is where you specify this. You could use "s3", "ec2" or "iam" for the examples provided in the previous sentence.
Ok, so Amazon now knows what service, and generally where to look for what you want. Some resources need to be narrowed down further by region. S3 buckets do not need much more information, but something like an EC2 instance does. You can deploy EC2 instances in the US datacenter in Virginia (us-east-1), in Northern California (us-west-1) or in Europe such as Ireland (eu-west-1) or Frankfurt (eu-central-1) among a few others.
Ok, now that Amazon has a very good idea of where to start looking, we need to narrow it down a bit more. Who owns the resources we are looking for? Most commonly the namespace is your account number, for example when accessing EC2. But in S3, the namespace would be your bucket name. It can vary between services, so be sure to look up your service specifically.
The final piece is to identify the precise object you want. In S3, this would be the path to the object. In EC2 this would be the instance ID. Each service has its own format and specifics for this part of the ARN, so be sure to research these.
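The following Python sketch is an added example, not code from AWS or from the original article. It splits an ARN into the sections described above and flags ARNs that point at an account other than your own, which is a common check when reviewing policies. The field names, the function names and the sample ARNs are assumptions made for the example. Note that in the ARN strings S3 uses, the region and account fields are left empty and the bucket name appears in the final section.

```python
from typing import NamedTuple

KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}  # partitions named above

class Arn(NamedTuple):
    partition: str
    service: str
    region: str      # empty in some services' ARNs (e.g. S3, IAM)
    namespace: str   # usually the account number; empty in S3 ARNs
    resource: str    # service-specific; may itself contain ':' or '/'

def parse_arn(value: str) -> Arn:
    """Split an ARN into its components, rejecting malformed strings."""
    # maxsplit=5 keeps any further colons inside the final resource part.
    parts = value.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {value!r}")
    arn = Arn(*parts[1:])
    if arn.partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition: {arn.partition!r}")
    if not arn.service or not arn.resource:
        raise ValueError(f"service and resource are required: {value!r}")
    return arn

def foreign_accounts(arns, own_account):
    """Return the ARNs whose account field is set and is not own_account."""
    return [a for a in arns
            if parse_arn(a).namespace not in ("", own_account)]

# Constructed sample ARNs (account numbers and resource names are made up).
SAMPLES = [
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234def567890",
    "arn:aws:s3:::example-bucket/reports/2020:q1.csv",
    "arn:aws:iam::123456789012:user/alice",
    "arn:aws:ec2:eu-west-1:999999999999:instance/i-0123456789abcdef0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_arn(sample))
    print("other accounts:", foreign_accounts(SAMPLES, "123456789012"))
```

Splitting with a fixed limit matters: a naive split on every colon would cut the S3 object key above in two and misread the resource.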
Learning how to format these complicated strings will take some time. You can read more about the details from the AWS documentation directly:
- Amazon Resource Names (ARNs) and AWS Service Namespaces
- This also provides a number of examples of each AWS service